OS X Crimeware Kit Emerges

Trailrunner7 writes "Crimeware kits have become a ubiquitous part of the malware scene in the last few years, but they have mainly been confined to the Windows platform. Now, reports are surfacing that the first such kit targeting Apple's Mac OS X operating system has appeared. The kit is being compared to the Zeus kit, which has been one of the more popular and pervasive crimeware kits for several years now. A report by CSIS, a Danish security firm, said that the OS X kit uses a template that's quite similar to the Zeus construction and has the ability to steal forms from Firefox." Mac users are also being targeted by a new piece of scareware called MAC Defender.

Well?

[fuzzyfuzzyfungus]

All I want to know is whether this malware is worthy of the Apple platform or not: Does it use Grand Central Dispatch to efficiently allocate the load of multiple form-stealing processes between all my system's cores? Are the misleading dialog boxes that frighten me further into folly fully compliant with Apple's HID guidelines?

If I'm going to get Mac malware, I damn well better have the best malware experience that the industry has to offer. Heck, I'd probably even be willing to pay $20 for something that windows users get for free and linux nerds compile from source, if the interface is good enough...

Re:Masses reaction

[jo_ham]

Not wanting to go for a cheap "FTFY", I'll just say that the reaction of everyone imitating a Mac user's reaction will be yours.

The rest of us actual Mac users carry on as normal, just like the Linux users.

Interestingly, does this count as the 44th malware threat on OS X (based on a cited post from the AV thread yesterday that said there are 43 threats over the life of OS X), or does it count as more than one, since it's a tool kit. Is a swiss army knife one tool or several? :p

Re:Masses reaction

[bmo]

Nobody with a brain has ever claimed that OSX is impervious. And nobody with a brain has ever claimed that OSX is impervious to PEBCAK.

What *has* been claimed is that the automatic propagation of evil over OSX (and BSD and Linux and *every other sane OS out there*) is terribly inefficient, because unless you pack the evil in a container, permissions (including the permission to execute) are stripped as soon as you send your file. And then you have to either unpack it or you have to manually assign the execute bit through right clicking and using the dialog or using chmod. And only then can you run the file.

Compare and contrast this to the Windows world where the execute bit is tied to 3 letters in the file name and Windows will duly execute the file as soon as it's double-clicked. Malware in this system goes from machine to machine because Windows assumes that a file is permitted to execute if it whispers the correct shibboleth of "exe, com, scr" or what have you.

While OSX's advantage of using the Unix model of tossing permissions does not cover warez, the equivalent of purple gorillas on OSX or braindead users, even the small amounts of protection that OSX gives goes a long way in preventing network effects on the spread of malware.

--
BMO

Re:Masses reaction

[hairyfeet]

Actually, and I'll probably get flamed for saying this, you'd be surprised how many have bought the "you just can't infect a Mac!" meme. I got called into an SMB a few years back, where the guy instead of listening to me and paying me to set up a sensible top to bottom least permission approach bought into the "can't infect a Mac!" meme and then was shocked! shocked I tell you, when he found out he got pwned thanks to one of his kids wanting to watch a naughty video and getting the DNS changer bug.

You see the problem is something we that have been in the trenches for quite awhile (I started with Win 3.x, what was that? 20 years ago?) sadly run into far too often, it is what I like to call "magical thinking". it is the "If I use product X I won't have to change my habits or anything, and I'll be unhackable" bullshit. Hell I remember when firewall resellers were pushing the "if you have a firewall you are invisible and untouchable!" and it was bullshit then and it is bullshit now.

NEWS FLASH...ALL OSes can be hacked, full stop. ALL OSes are extremely complex pieces of code, with interactions on top of interactions with third party code thrown in the mix just for shits and giggles. There is NO perfectly unhackable OS and if there was one that person could hire Bill Gates to shine his shoes. The last real legitimate gripe about Windows, the brain dead "hey lets run everyone as admin!" finally died hard with Vista, so frankly all OSes are on about the same footing, as in TFA it all comes down to what the malware writer thinks is profitable.

Think OSX is immune? Read TFA. Think Linux can't be pwned? Look at the Android malware or the KDE screensaver malware that spread awhile back or even this handy how to guide on writing Linux malware.

The ONLY solution is a top to bottom least permissions approach, not magical thinking. Least permissions and users not being so brain dead they actively help the malware writer is the ONLY solution.

As a final note let me give a recent example. I set up a box, had it locked down nicely, required password for admin, least permissions, yet it got pwned in under 45 days. Did I miss something? Nope, the user decided he just had to have Limewire, even though I told him not to, so he disabled the antivirus because it wouldn't in his words "shut up" and then promptly gave permissions to Limewire to do whatever it wanted. And boy did it, 60+ pieces of malware.

So in the end it doesn't matter what the OS, it doesn't matter what kind of permissions model you set up, if you have someone with admin rights that says "I want my emails from Melissa and you WILL let me have them!" then no matter what OS, you're screwed. An OS is only as good as the PEBKAC sitting in front of it.